Disposable Email Vulnerabilities

by StankDawg  (stankdawg@stankdawg.com)

The spam epidemic has gotten horribly out of control.  We all know that.

Many solutions are being attempted to avoid spam from legislation to technical alternatives.  Filtering is not an exact science and it never will be.  Blacklisting sites and servers is unrealistic because one server can be tainted by one user.  Another recent phenomenon has been the onset of "disposable" email accounts.  Some sites that offer these services are dodgeit.com and mailinator.com but there are several others scattered around the web.

A disposable email account is one that is not consistently used or tied to an individual person.  Personally, I have created accounts on my own server for this very purpose and then deleted the account after I was done with it.  Not everyone has the luxury of having their own server to do this.  To meet that need, some sites have appeared that allow any user to create a disposable account to get a reply or information without fear of the influx of spam that may result from requesting information from some site.

You could use this to sign up to a mailing list for example.  You can then check in on that account to read the mailing list without fear of them selling your address around to other lists or spammers.  You might also use this is a one-time disposable message center.  Perhaps you want to post to a site and want replies to a question but not get flooded with responses or have your real email address made public.  These are perfect examples on how and why to use this type of account.  Specifically, the mailing list example is a good way to add RSS content to your site without the spam.  Many of these sites (dodgeit.com for example) generate a news feed using RSS that you can add to your site.  Mailing list content that you control!

Keep in mind that due to the nature of these systems, they provide free access for anyone to use them at any time.  This means that these disposable email sites do not have account validation of their own.  That could be an ironic mess!  What they do is allow anyone to access any account at any time.  That way, there are no passwords to deal with and no account set up of any kind.  Anybody can use the service and nobody is excluded.  It's a spam solution for everyone!

This leads me to the first problem with these systems as they are now.

Once again, due to the nature of these systems, they are meant to be disposable and used as described above.  Disposable accounts were not intended to be used for any type of real mail usage although, theoretically, they could be.  That is why I call them "disposable."  In fact, you will find that there is no "delete" function on these services.  What need would there be for a delete function on a disposable account anyway?  The system will delete files every 30 days or whatever the system is set for.  Another reason to not have a delete function is the fact that I mentioned earlier about anyone accessing any other account.

All it would take is a few ne'er-do-wells to go in and delete your confirmation messages before you can get to them.  Someone could even delete everything in your mailbox just to be a jerk.  If you think that would be too hard to maintain and figure out, trust me when I tell you that it could easily be scripted to do this with no manually intervention.  This is not even the biggest problem with these systems.  It is the misuse of them that could really get you 0wned.

The big mistake that people make with this kind of account is that they try to use it for things that quite simply, they should not.  Some people may think that registering for a forums site or a Content Management System (CMS) with a disposable account may be a good idea to avoid potential spam or revealing their real email address in a questionable environment.  But understanding how a forum works is crucial.  If the forum doesn't validate any emails, then it will be fine.  Most forums, however, will make you validate the email address by sending a confirmation password to that address that you must enter to complete the registration process.  There you go sharing your account information including password, with the world.

Since that disposable email account is open to the world, anyone can check your mail.  All they need to know is the account name.  If they registered with a forum site for example, it can easily be looked up in the members list.  Go back and check their "disposable" email account and see if they left the email there.  Remember, there is no delete feature on these systems!  If it is still in the system, you will see the site and the password.  People who are using a disposable email account to register for a site are usually too lazy to change their password.  I can tell you as a matter of fact that this happens quite frequently.

Also, keep in mind that these services are web-based.  "So what?" you may say.  Well, in the example above I mentioned that if you noticed someone at a site or went digging through a site for those email addresses you would find them.  No one really wants to manually search for people.  So we look to automate things.  Since these are web services, guess what crawls out every so often and picks them up?  That's right, spiders from search engines!  If you haven't already dropped this book to try it, stop and do a Google search for "@dodgeit.com" and see what you can find.  If the site is designed properly, they will prevent spiders from finding the actual mailboxes on the disposable email site (which they do) but other sites where people are posting or using the disposable email addresses usually do not.

I also want to emphasize that just because the initial emails with passwords may have been rolled from the system, that doesn't mean anything.  There is a fatal backdoor that exists here.  It is actually the true definition of a backdoor!  Even if you miss the original confirmation email, or even if they changed their password right away as suggested, almost every site offers a password recovery system for their users.  All a person would have to do is go to that password recovery request and have a new password sent to the original email address, which is... you guessed it, public!  Any account that has been registered with any of these "disposable email accounts" can be backdoored.  And if you think this isn't a danger, imagine the identity theft that could take place!  Opening eBay accounts under your account, changing other information on a site, the list goes on.

This is not only an open invitation for a person to have their account owned and be spoofed by someone else.  It could actually be worse than that.  Those of us who run websites may now have people using the system who have taken over someone else's account.  They are now in the system, with no valid email, so that they can wreak havoc on your system if they wanted to without fear of repercussion.  Obviously, you could check the logs but they simply use a proxy to avoid detection without much deeper means of investigation.

What can and should be done about these problems?  Well, that is for you to decide.  As a user of these services, I can simply recommend that you be careful and think out the dangers of using these services.  Do not put any personal information on them or have personal information sent to them.  Do not use them to register with sites where your password will be mailed to you.  If you do, for crying out loud go check the email right away and then go in and change your password immediately!  Doing that will keep you from being spoofed on a site but it still lets the world now that you are registered at that site, so you have lost some privacy in general.  Keep that in mind when you register for your assorted pr0n sites.

What if you are a webmaster of a site and you are concerned about this?  You also have to make your own choices.  You may decide to not allow users to register form these known sites.  Many sites do not allow Yahoo! Mail or Hotmail or other public mail account users to register.  These sites can be treated the same way.  You can send your passwords encrypted somehow but this makes it tougher for non-tech savvy users to complete registration.  It would, however, be safer for your site.  Certainly you should force your users to change their password immediately when they register so they do not leave that default password working.

Finally, I do not see why with so many public email services available, why people don't just create a new Gmail account, or Yahoo! Mail account, or Hotmail account.  The list of options is endless.  These accounts would be password protected, but you could still treat them as disposable account.  Use them once then forget about them.  Register them against the disposable services listed above for two layers of protection!  That little extra step will pay off.  But instead of using Gmail or Yahoo! Mail, we decided it would be better to just create our own service.

When I first wrote this article, I originally suggested that the reader could set up a new mail service that could eliminate the problems mentioned earlier.  It so happens that I had a domain registered just as a test bed for different projects that we work on.  I thought it would be a good idea to turn this site into a disposable email service that actually protected your privacy and anonymity while provided spam protection.  The fact that it creates funny email address is bonus.  It was a simple matter of designing a database that interacted with the mail server to automatically create temporary accounts on the mail server and delete them after a certain amount of time.  This project is WillHackForFood (http://www.willhackforfood.biz) or "WH4F."

What makes this service different?  Firstly, it offers password protection!  Secondly, it offers the ability to delete emails.  Both of these are offered through a web mail front-end that no one else can access without a password.  What this also does is lock the backdoor.  Sending password change requests will not work for two reasons.  One, they will not have the password to your account (unless you do something stupid), and two, the accounts all have expiration dates!  The whole point of a disposable email account is that it be temporary.  We designed our database to have a user-defined expiration date (seven days maximum) for the account time-to-live.  After the expiration date is passed, the account is deleted by a cron job and permanently locked in the database to prevent it from ever being used again.  This includes the original user.  If you wanted a reusable account, then you shouldn't have used a disposable email service.

We designed the database to be very simple, yet powerful at the same time.  It only keeps the minimum amount of data to automate the service, and the password is not one of them.  That is handled by the mail server alone to avoid another point of attack.  We are using a web mail client (still undecided at this point, but probably SquirrelMail) to handle the interface, so that code base was already done, we simply implemented it.  Nick84 wrote the base code and we all worked together modifying it from there.  The site is tested and up and running, so please feel free to use it.  It is a free service from the Digital Dawg Pound to help protect your privacy and avoid spam.  We use it.  We like it.  We hope you do too.

Further research: dodgeit.com, mailinator.com, Google "related:", willhackforfood.biz

Shoutz: The DDP, particularly nick84 for writing the base code, ld@blo, Decoder, lucky225, squirrelmail.org.

"The Revolution Will Be Digitized"

Return to $2600 Index